pfSense Book Contradiction? ICMP Type


  • The pfSense Book states "When passing ICMP, the best practice is to only pass the required types when feasible." but then goes on to say "Allowing an ICMP type of any is typically acceptable when allowing ICMP." which reads like a contradiction to me.
    Am I missing something?

    I'm in the process of establishing best practices with regard to ICMP. I have been allowing pings across subnets by just passing any ICMP, but perhaps there is a reason for that to be inadvisable? Somewhere I recall seeing a rule controlling Source Quench (blocking it I believe) - is that anything of concern for home/small business networks? Anything else I should watch out for?

    Finally, pfctl shows me a lot of ipv6-icmp rules that I believe are automatically created. Can someone recommend a reference for learning what the implications of IPv6 are for firewalls (preferably not something written for geniuses :)?
    thanks!
    Bill

    https://docs.netgate.com/pfsense/en/latest/book/firewall/configuring-firewall-rules.html
    ICMP Type
    When ICMP is selected as the protocol, this drop-down contains all possible ICMP types to match. When passing ICMP, the best practice is to only pass the required types when feasible. The most common use case is to pass only a type of Echo Request which will allow an ICMP ping to pass.
    Tip
    Historically, ICMP has a bad reputation but it is generally beneficial and does not deserve the reputation on modern networks. Allowing an ICMP type of any is typically acceptable when allowing ICMP.

  • Rebel Alliance Developer Netgate

"Best practice" vs "Acceptable". Both are correct as they are different scenarios.

    Should you filter ICMP so only specific types are allowed? Sure, if you want to be strict/most secure (Best practices and all)

    Is there enough danger to warrant filtering them like that? Probably not, so most people don't bother, so allowing more is acceptable to many people, even those with general security concerns.

    pf allows related errors and such back through state data anyhow so most people really only need to pass echo requests explicitly for IPv4.

    IPv6 is much different, you pretty much should be allowing everything there for ICMP as it's compulsory. pfSense drops in a bunch of ICMPv6 rules to pass the bare minimum, but passing all ICMPv6 is not bad unless you're trying to stop others from getting ping responses for local hosts. The rules from pfSense are to make sure you don't shoot yourself in the foot and break IPv6 with bad rules.
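To make the two points above concrete (echo request only for IPv4, everything for ICMPv6), here is an added pf.conf rule set in the raw pf syntax that pfSense generates and that `pfctl -sr` prints. It is not from the forum post or the pfSense book; the interface name and network macros are assumptions, and the stricter ICMPv6 list follows the types a host needs for Neighbor Discovery and Path MTU Discovery, the same ground RFC 4890 (Recommendations for Filtering ICMPv6 Messages in Firewalls) covers, which is the usual reference for the IPv6 question in the original post.

```pf
# Added example, not pfSense's own generated rules. Interface and networks are assumptions.
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
lan_net6 = "2001:db8:1::/64"

# IPv4: pass only Echo Request from the LAN and track state. Echo Replies and
# related ICMP errors (unreachable, time exceeded, ...) for an existing state
# are matched against that state by pf, so they need no explicit rule. This is
# what the "ICMP subtype: Echo Request" choice in the pfSense GUI produces.
pass in quick on $lan_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# IPv6: ICMPv6 carries Neighbor Discovery (the IPv6 equivalent of ARP) and
# Packet Too Big for Path MTU Discovery, so blocking it breaks IPv6 outright.
# Passing all of it is acceptable on a LAN; the only thing it gives up is
# hiding local hosts from ping.
pass in quick on $lan_if inet6 proto ipv6-icmp from $lan_net6 to any keep state

# Stricter alternative (use instead of the rule above): only the types a host
# must be able to send and receive. Neighbor/router discovery, Packet Too Big,
# echo, and the error types that pf's state matching relies on.
# pass in quick on $lan_if inet6 proto ipv6-icmp from $lan_net6 to any \
#     icmp6-type { neighbrsol, neighbradv, routersol, routeradv, toobig, \
#                  echoreq, echorep, unreach, timex, paramprob } keep state
```

The ICMPv4 Source Quench type mentioned in the question is not in either list: it is type 4, formally deprecated by RFC 6633, and modern stacks ignore it, so a rule that blocks it is harmless but also unnecessary when only Echo Request is passed explicitly.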